loadarchive: guard against locale-archive corruption (Bug #25115)
authorDJ Delorie <dj@redhat.com>
Fri, 18 Oct 2019 21:15:52 +0000 (17:15 -0400)
committerDJ Delorie <dj@redhat.com>
Sat, 19 Oct 2019 00:40:54 +0000 (20:40 -0400)
_nl_load_locale_from_archive() checks for a zero size, but
divides by both (size) and (size-2).  Extend the check to
guard against a size of two or less.

Tested by manually corrupting locale-archive and running a program
that calls setlocale() with LOCPATH unset (size is typically very
large).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
locale/loadarchive.c

index 981f68d410fdfc1dcd51c7dda8822bd1e796efe5..b4a73d5c9419890d481079f75314a3059a0373be 100644 (file)
@@ -274,7 +274,7 @@ _nl_load_locale_from_archive (int category, const char **namep)
                                        + head->namehash_offset);
 
   /* Avoid division by 0 if the file is corrupted.  */
-  if (__glibc_unlikely (head->namehash_size == 0))
+  if (__glibc_unlikely (head->namehash_size <= 2))
     goto close_and_out;
 
   idx = hval % head->namehash_size;
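Review bot: The comment directly above the changed guard still reads `/* Avoid division by 0 if the file is corrupted.  */`, which no longer explains why a namehash_size of 1 or 2 is also rejected; a reader seeing `<= 2` next to a single `% head->namehash_size` on the last line of the hunk will assume the bound is off by two. Per the commit message the second divisor, `namehash_size - 2`, is used further down in the function, outside this hunk, so the rationale is not visible where the check lives. I would update the comment to `/* Avoid division by 0 if the file is corrupted: the probe below divides by both namehash_size and namehash_size - 2, so anything <= 2 is rejected.  */`. _nl_load_locale_from_archive begins and continues outside the hunk.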